RE: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Ingo Bauer

Hi Florin . :)

Are there any .iso's on any of the cooker's ?

Ingo

-Original Message-
From: Florin [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 23, 2001 10:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Cooker-firewall] Ports Forward and Proxy Problems


"Paul Smith" <[EMAIL PROTECTED]> writes:

> Old version of SNF? Is there a new one I have somehow missed?
> 

N E W   V E R S I O N   O N   C O O K E R   yes  it's been a week already.

there is already a new working 2.4 kernel version on cooker. Simply take the snf
package, a virtual package that will require everything you need.

cheers,
-- 
Florin  http://www.mandrakesoft.com




Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread bascule

will configuration backups from the 'old' snf work and if so is that all that 
is required to have the new snf up and running or is configuration from 
scratch necessary?

bascule

On Friday 23 Nov 2001 2:31 pm, you wrote:
> "Paul Smith" <[EMAIL PROTECTED]> writes:
> > Old version of SNF? Is there a new one I have somehow missed?
>
> N E W   V E R S I O N   O N   C O O K E R   yes  it's been a week
> already.
>
> there is already a new working 2.4 kernel version on cooker. Simply take
> the snf package, a virtual package that will require everything you need.
>
> cheers,




Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Florin

Denis HAVLIK <[EMAIL PROTECTED]> writes:

> On 23 Nov 2001, Florin wrote:
> 
> + N E W   V E R S I O N   O N   C O O K E R   yes  it's been a week already.
> +
> + there is already a new working 2.4 kernel version on cooker. Simply take the snf
> + package, a virtual package that will require everything you need.
> 
> Florin,
> 
> Should I kill you now, or later?;-)
> 
> 

hmmm, later ;o) ?

-- 
Florin  http://www.mandrakesoft.com




Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Denis HAVLIK

On 23 Nov 2001, Florin wrote:

+ N E W   V E R S I O N   O N   C O O K E R   yes  it's been a week already.
+
+ there is already a new working 2.4 kernel version on cooker. Simply take the snf
+ package, a virtual package that will require everything you need.

Florin,

Should I kill you now, or later?;-)





Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Florin

"Paul Smith" <[EMAIL PROTECTED]> writes:

> Old version of SNF? Is there a new one I have somehow missed?
> 

N E W   V E R S I O N   O N   C O O K E R   yes  it's been a week already.

there is already a new working 2.4 kernel version on cooker. Simply take the snf
package, a virtual package that will require everything you need.

cheers,
-- 
Florin  http://www.mandrakesoft.com




Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Denis HAVLIK

On Fri, 23 Nov 2001, Paul Smith wrote:

+ Old version of SNF? Is there a new one I have somehow missed?

Florin is working on a new version.





Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Paul Smith


Old version of SNF? Is there a new one I have somehow missed?

---
Paul W. Smith
Network Operations Analyst
MCP, CLA, CRA, BCCA
Enterprise Services
Metafore
T: 416-778-1300 x7366
F: 416-778-8917
[EMAIL PROTECTED]
http://www.metafore.ca
Anywhere, anytime. 360 degrees by 365 days.



Florin
Sent by: florin@mandrakesoft.com
11/23/2001 09:02 AM
Please respond to cooker-firewall

To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: [Cooker-firewall] Ports Forward and Proxy Problems




"Gael Martin" <[EMAIL PROTECTED]> writes:

> Hi
> Well here it doesn't.
> All I've done is go to add port 21 and 80 and forward it to the respective
> machine. But as soon as I put 21 it just blocks the HTTP traffic. The
> browser says, "Web Site found. Waiting for reply" and stay like that for
> ever.
> It seems that the packet don't get to the internal machine when port 21 is
> open. Now if I open 22 instead it works but not the FTP though.
> I'm sending you screen shots of the 3 tabs so you can tell me if I'm doing
> anything wrong.
>
> Gael

Hello there,

I have just installed the old version of the snf and you are absolutely
right, there is a problem with squid and ftp port-forwarding ... I'll have
a look again and try to find the bug ...

Thank you ... I have never seen this before.

I have received your screenshots and everything seems fine.

cheers,
--
Florin  http://www.mandrakesoft.com








Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Florin

"Gael Martin" <[EMAIL PROTECTED]> writes:

> Hi
> Well here it doesn't.
> All I've done is go to add port 21 and 80 and forward it to the respective
> machine. But as soon as I put 21 it just blocks the HTTP traffic. The
> browser says, "Web Site found. Waiting for reply" and stay like that for
> ever.
> It seems that the packet don't get to the internal machine when port 21 is
> open. Now if I open 22 instead it works but not the FTP though.
> I'm sending you screen shots of the 3 tabs so you can tell me if I'm doing
> anything wrong.
> 
> Gael

Hello there, 

I have just installed the old version of the snf and you are absolutely
right, there is a problem with squid and ftp port-forwarding ... I'll have
a look again and try to find the bug ...

Thank you ... I have never seen this before.

I have received your screenshots and everything seems fine.

cheers,
-- 
Florin  http://www.mandrakesoft.com




RE: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Gael Martin

Sorry to be a pain in the arse but this still doesn't work.
I've opened port 20 and 21 (TCP) and forward this to another mandrake box with
proFTPd (IP 192.168.0.251) to set FTP in active mode.
I've also opened 80 and forward it to another machine with apache (IP
192.168.0.23) this works fine and doesn't affect the proxy.
But as soon as I open port 21 the internet connection is broken. Although I
can see in /var/squid/log/access.log that people are trying to connect but
they can't get anywhere.
Basically the browser says "Web page found..." but just doesn't display it.
after a long while it eventually time out. All the other things seems to
work (FTP, POP, etc... just HTTP is broken).
I can open other ports and the thing just works fine but not port 21.
I've attached my config (the one you get by doing backup) if that help. 
Even if the actual service i.e. proFTPd is not running or the machine is not
powerup the proxy refuse to display the pages if I've got port 21 open, so I
don't think is something to do with proFTPd.
Also I was trying to change apache port on the second machine (192.168.0.23)
to use 81 instead and then open port 81 on SNF but this wouldn't work either
(I've tried 8080, 79, and other numbers but it seems to me that I can only
reach my internal web server from outside if it is setup on port 80 (I've
tried to access locally using port 81 and this worked fine). That's a shame
since I'd like to be able to open several web servers.

BTW: when you say open all high ports what do you actually mean? have I got
to manually open all ports above 1024?

Thanks

Gael





> Hello there,
> 
> here are two points of view for the ftp connections with a firewall:
> 
>    - open tcp ports 21 (control) *and* 20 (data) in incoming traffic on the
>      firewall to allow active ftp from the clients
>    - open tcp port 21 and all high ports (> 1024) on the firewall to allow
>      passive clients
> 
> I have set here squid in transparent mode and then I did a port forwarding
> of ftp to some internal ftp server using proftpd.
> 
> with ncftp or lftp clients, connect and then type : set passive off
> (ncftp), or set ftp:passive-mode off and then you will be able to connect ...
> 
> squid and ftp port-forwarding work together ...
> 



SystemName=firewall
DomainName=dummyDomain.com
DNSPrimaryIP=62.128.xxx.xxx
DNSSecondaryIP=
AdminInterface=eth0
FullAdminName=admin
ChangeAdminPasswd='set: change-password.pl'
CurrentMirror=ftp://ftp.stealth.net/pub/mirrors/ftp.mandrake.com/Mandrake/updates
PackagesList=squid
OfficialList='get: mirrors.pl'
PackagesToUpdate='get: packages_to_update.pl'
PackagesToDownload='get: download_packages.pl'
PackagesToInstall='get: rpm-install.pl'
PackageDescription='get: show_description.pl'
DHCPClient=dhcp-client
DHCPServer=off
DHCPInterface=eth0
DHCPServerEnd=254
DHCPServerStart=65
DHCP_LEASE_DEFAULT=21600
DHCP_LEASE_MAX=43200
DNS_SERVER_DYN_UPDATE=Y
DNS_UPDATER_SECRET=Y
SYSLOGLocal=yes
SYSLOGTargetServer=
SYSLOGTargetServerLevel=
SYSLOGTty=tty12
SYSLOGTtyLevel=alert
PreludeState=off
SnortState=off
SnortLogs='get: snortsnarf.sh'
MessagesLogs='get: logs.pl'
DynDnsAccount=dnsaccount
DynDnsPassword=dnspassword
DynDnsService=off
DNSServer=off
TimeZoneList='get: timezone.pl tzlist'
Zone=GMT
ChangeDate='set: date.pl $md5 '
NTPServer=
ServicesList='get: services.pl list'
ServiceStatus='get: services.pl status'
ServiceRestart='set: services.pl restart'
ServiceReload='set: services.pl reload'
ServiceStart='set: services.pl start'
ServiceStop='set: services.pl stop'
ServiceRemove='set: services.pl remove'
ServiceAdd='set: services.pl add'
SquidServer=transparent
SquidParents=N
SquidPort=3328
SquidCacheDir=/var/spool/squid
SquidCacheSize=100
SquidWarningMesage=mailto:[EMAIL PROTECTED]>Mail to Admin
SquidWarningMesagePosition=Bottom
[EMAIL PROTECTED]
SquidRedirector=squidGuard
SquidAnonymizer=Y
SquidGuardAddPrivilegedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/privilegedsource/ips -a '
SquidGuardDeletePrivilegedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/privilegedsource/ips -d'
SquidGuardPrivilegedIpsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/privilegedsource/ips -l'
SquidGuardAddBannedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/bannedsource/ips -a '
SquidGuardDeleteBannedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/bannedsource/ips -d'
SquidGuardBannedIpsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/bannedsource/ips -l'
SquidGuardAddLansourceNetworkMask='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/lansource/lan -a '
SquidGuardDeleteLansourceNetworkMask='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/lansource/lan -d'
SquidGuardLansourceNetworkMasksList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/lansource/lan -l'
SquidGuardAddBanneddestinationUrl='set: squidGuard_manage.pl $md5 
/u

Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-22 Thread Florin

"Gael Martin" <[EMAIL PROTECTED]> writes:

> Hi All.
> I've got an LAN connection to the internet (ADSL) plug into my SNF and on
> the other end my internal network. I've set up the transparent proxy server
> so that all request to port 80 from internal network are redirected to port
> 3228 of squid. Everything was just working fine until I decided to make one
> of my internal machine available outside the internal network. I've set up
> my internal FTP server and then went on SNF (Restrict Access/Internet
> Traffic) to add the FTP port to the list of public traffic allowed and then
> put the IP address of my internal machine 10.0.0.23 into the forward to
> internal host box. Give the FTP connection details to some guys outside the
> internal network, he connected OK to the FTP machine downloaded and uploaded
> OK, fantastic. But half an hour later some guys from the internal network
> came to me saying "We can't connect to the internet anymore". I've looked
> for ages until I finally found that as soon as I removed the FTP port
> forwarding in SNF it works again. So I can't have the proxy server and port
> forwarding working at the same time which is really annoying.
> What am I doing wrong?
> If someone could give a workaround on this one I'll be very glad.
> BTW : I've tried with manual proxy with and without auth and it still don't
> work.
> It seems to me that it's only the http packet that get lost somewhere
> because I can still use ftp or pop when I turned port forwarding ON.
> Gael
> 
> 
> 

Hello there,

here are two points of view for the ftp connections with a firewall:

   - open tcp ports 21 (control) *and* 20 (data) in incoming traffic on the 
   firewall to allow active ftp from the clients
   - open tcp port 21 and all high ports (> 1024) on the firewall to allow 
   passive clients

I have set here squid in transparent mode and then I did a port forwarding
of ftp to some internal ftp server using proftpd.

with ncftp or lftp clients, connect and then type : set passive off
(ncftp), or set ftp:passive-mode off and then you will be able to connect ...

squid and ftp port-forwarding work together ...

-- 
Florin  http://www.mandrakesoft.com
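
The active/passive distinction in the message above, as an added example that is not part of the original thread: it parses the FTP control-channel line that announces the data connection and checks it against the two inbound rule sets described. The function names and the sample control lines are constructed for illustration; `192.168.0.251` is the internal proFTPd address mentioned elsewhere in the thread.

```python
import ipaddress
import re

SIX = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"  # h1,h2,h3,h4,p1,p2

def _endpoint(match):
    """Turn the h1,h2,h3,h4,p1,p2 fields into (ip, port)."""
    if match is None:
        raise ValueError("not a PORT command or 227 reply")
    n = [int(x) for x in match.groups()]
    if max(n) > 255:
        raise ValueError("field out of range")
    return ".".join(str(v) for v in n[:4]), n[4] * 256 + n[5]

def data_channel(line):
    """Describe the data connection announced by one control-channel line."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = _endpoint(re.fullmatch("PORT " + SIX, line, re.I))
        # Active: the server connects out from port 20 to the client's port.
        return {"mode": "active", "opened_by": "server",
                "server_port": 20, "client": (ip, port)}
    ip, port = _endpoint(re.match(r"227 [^(]*\(" + SIX + r"\)", line))
    # Passive: the client connects in to the port the server announced.
    # A private address here means the server is advertising its internal
    # IP from behind the port forward.
    return {"mode": "passive", "opened_by": "client", "server_port": port,
            "private_addr": ipaddress.ip_address(ip).is_private}

def passes_inbound(chan, open_tcp_ports):
    """Port-based filter: are packets addressed to the server-side
    data port allowed in?"""
    return chan["server_port"] in open_tcp_ports

# Constructed control-channel lines (not captured traffic).
ACTIVE = "PORT 203,0,113,7,4,210"
PASSIVE = "227 Entering Passive Mode (192,168,0,251,195,149)"

# The two rule sets from the message above.
ACTIVE_RULES = {20, 21}
PASSIVE_RULES = {21} | set(range(1025, 65536))

if __name__ == "__main__":
    for line in (ACTIVE, PASSIVE):
        chan = data_channel(line)
        print(chan["mode"], chan["server_port"],
              passes_inbound(chan, ACTIVE_RULES),
              passes_inbound(chan, PASSIVE_RULES))
```
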




[Cooker-firewall] Ports Forward and Proxy Problems

2001-11-22 Thread Gael Martin

Hi All.
I've got an LAN connection to the internet (ADSL) plug into my SNF and on
the other end my internal network. I've set up the transparent proxy server
so that all request to port 80 from internal network are redirected to port
3228 of squid. Everything was just working fine until I decided to make one
of my internal machine available outside the internal network. I've set up
my internal FTP server and then went on SNF (Restrict Access/Internet
Traffic) to add the FTP port to the list of public traffic allowed and then
put the IP address of my internal machine 10.0.0.23 into the forward to
internal host box. Give the FTP connection details to some guys outside the
internal network, he connected OK to the FTP machine downloaded and uploaded
OK, fantastic. But half an hour later some guys from the internal network
came to me saying "We can't connect to the internet anymore". I've looked
for ages until I finally found that as soon as I removed the FTP port
forwarding in SNF it works again. So I can't have the proxy server and port
forwarding working at the same time which is really annoying.
What am I doing wrong?
If someone could give a workaround on this one I'll be very glad.
BTW : I've tried with manual proxy with and without auth and it still don't
work.
It seems to me that it's only the http packet that get lost somewhere
because I can still use ftp or pop when I turned port forwarding ON.
Gael